19:01:01 #startmeeting infra 19:01:02 Meeting started Tue Apr 7 19:01:01 2020 UTC and is due to finish in 60 minutes. The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:01:03 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:01:05 The meeting name has been set to 'infra' 19:01:12 #link http://lists.opendev.org/pipermail/service-discuss/2020-April/000000.html Our Agenda 19:01:13 o/ 19:01:20 #topic Announcements 19:01:46 For announcements the big one is the meeting is now here instead of #openstack-meeting. If you are in this cahnnel you already know that, but I had this up as a reminder to notify #openstack-meeting too 19:02:12 we've also got service-discuss@lists.opendev.org up and running. You should join that mailing list if you are interested in working on the services that comprose opendev 19:02:42 if you justwant important announcements service-announce@lists.opendev.org is a good option (and fungi has a change up to udpate that info on https://opendev.org with shiny links) 19:03:29 though the site does at least currently mention the new mailing lists 19:03:37 o/ 19:03:59 so that's a start 19:04:16 #link https://review.opendev.org/718188 Add IRC logs and ML subscribe links to opendev.org 19:04:23 (for the change clarkb mentioned) 19:04:27 fungi: did infra-manual get updated too? 19:04:42 there were no mentions of our ml in infra-manual as far as i could find 19:04:59 which i think is likely a glaring omission, but at least did not warrant correcting 19:05:09 o/ 19:05:27 adding it would be a good idea though 19:05:27 fungi: I think there may be one or two occurences. I'll try to take a look after the meeting 19:05:42 possible my git grep was wrong 19:06:03 o/ 19:06:12 so mordred will handle all of that then.. great! 19:06:21 works for me 19:06:25 clarkb: i take that back, it turns up the setup.cfg 19:06:38 which i noticed but figured was not worth correcting on its own 19:07:01 fungi: doc/source/index.rst and doc/source/creators.rst too looks like 19:07:07 #topic Priority Efforts 19:07:15 Lets dive right into the bulk of the meeting 19:07:23 #topic Update Config Management 19:07:43 mordred: you've been pushing most of this along the last little while. Would you like to summarize some of the updates to how we are config managementing now 19:07:58 clarkb: oh! i searched for the e-mail address, yep, we have the hyperlink in there, will fix 19:08:37 yes! so - there's this great stack everyone should review 19:08:50 https://review.opendev.org/#/q/topic:infra-prod-zuul+status:open 19:09:12 but we've made great progress on shifting things from running out of cron on bridge.openstack.org to being triggered by zuul 19:09:21 for many things things means we can insta-run them on landing 19:09:48 there are a few things where we have external deps (and in this case external also includes zuul) - where we still need to also run periodically 19:09:54 so we added a new hourly pipeline to run those in 19:10:16 the whole stack should be ready to go - it's just about landing things as we're comfortable 19:10:24 as a note - logs are not being collected and published by default 19:10:42 there is a flag for that and we should only set it on a per-job basis once we've verified that the logs don't contain secret infos 19:11:18 I've also got a dockerized etherpad in progress, and a patch up for dockerized zuul 19:11:33 https://review.opendev.org/#/c/718161/ is a change I wrote to make that verification of logs easier (as well as finding historical lgso in the current setup) 19:11:42 basically it will curate the logs on bridge for you 19:12:07 yah. end-goal should be that we don't have logs only on bridge- but it might take us a little bit to safely get tehre 19:12:25 oh nice 19:13:23 one thing that I thought about yseterday when debugging gerrit weirdness is we are still not running containered gerrit yet are we? 19:13:25 https://review.opendev.org/#/c/717620/ is the zuul patch fwiw - there is a blocker with that we'll need to figure out, which is using AFS from bubblewrap from inside docker 19:13:30 should we plan to make that restart happen soon? 19:13:33 clarkb: no - we need to do a restart 19:13:35 and yse 19:13:46 basically just need a stop/start cycle 19:13:53 so it shouldn't be a long downtime 19:14:01 maybe friday g=considering it is a holiday in many parts of the world? 19:14:07 ++ 19:14:08 not sure where the g= came from 19:14:22 google probably added it for you 19:14:46 g++ 19:15:05 (maybe gnu added it for you!) 19:15:51 alright anything else related to config management? 19:16:35 I think that's it from me 19:17:07 #topic OpenDev 19:18:00 Now that we've started getting the forward looking comms channels stuff set up I/we (though I'm volunteering, help apprecaited if interested) need to start the ball rolling on project leadership formalization as well as building the advisory board 19:18:22 Today is supposed to be nice and sunny so I'll work on drafting some emails to the list to kick that off (I'll share them in etherpads) 19:18:35 #link https://review.opendev.org/718193 Update contact info for OpenDev community 19:18:37 my picnic table should be well positioned for writing emails :) 19:18:53 just to follow up on my terrible git grep skills earlier 19:19:04 (infra-manual edits) 19:19:22 yup the other half of this is updating links and documents as necessary. If you find some old info please send up a patch or let someone know and we'll get a patch up 19:20:36 and more generally if you find documents that are out of date or could use a perspective shift let us know (doesn't have to be limited to the new comms channels) 19:20:53 the Get Started links on gitea are a good example of that turning out to be a positive chagne for everyone :) 19:21:45 fungi: did you want to talk about the authentication stuff now? 19:21:55 oh, yeah probably good to revisit that 19:22:19 mainly just thinking we're reaching the point where it warrants rekindling the sso efforts we've started multiple times in the past 19:22:28 ++ 19:22:42 revisiting some old ground, also seeing what might be new since the last time we looked 19:23:00 i was going to hit knikolla up for a bit more detail on the thing morgan had started working on for keystone 19:23:33 also i think i'm going to write a spec 19:23:50 even though it may be premature with no actual software identified we can use 19:24:15 we basically have no documentation i've been able to find anywhere of the discussions we've had previously about what it is we want out of an sso implementation 19:24:18 fungi: if it can identify specific use cases as well as what we need to transition from that would probably be helpful even without specific suggestions 19:24:19 it's worth noting that since last we looked the governance of dex has changed - and we also run things in containers now (which I believe was one of our concerns with it before, it was sort of "run me in containers" centric) 19:25:02 mordred: there is also a newish thing called gluu that I ran across 19:25:07 well, also some brief re-researching suggests we may want to consider options like completely dropping launchpad authentication 19:25:12 I believe we'd have to implement an openid v1 provider for dex if we wanted to use it and continuing having launchpad be a login source - but it _is_ an SSO proxy project, so other than lack of openid v1 it does seem to understand our use case 19:25:26 cool 19:25:39 * mordred is guessing we;ll have to add openidv1 support to _anything_ we wind 19:25:41 find 19:25:54 mordred: or give up on openidv1 entirely 19:26:00 it seems launchpad never moved beyond very early openid protocols, and none of the currently maintained identity solutions out there support the protocols it uses these days 19:26:46 launchpad implements some subsets of other things like saml and oauth but only for their internal usage apparently? I have no idea if that might provide us a stepping stone or not 19:26:56 but definitely interested to start writing all this down 19:27:01 so yes, we should weigh whether a coordinated forklift of users with no clean migration from launchpad is more or less work than writing openid v1 support into whatever we end up deciding on 19:27:18 agree 19:27:41 that was the biggest sticking point i recall morgan running up against in his last attempt 19:28:06 yeah - our existing login data being openid v1 from launchpad is challenging :) 19:28:07 so keeping in mind that may simply be an unsatisfyable requirement and considering alternative options 19:28:11 yup 19:28:40 I don't think we need to keep launchpad as an ongoing auth source - but I do think we should be able to migrate and have people still able to log in to their gerrit account 19:29:02 anyway, that's all i had, mostly just wanted to be sure folks think it's reasonable to whip up a spec to try and express what we want, even if we don't have more than a loose design plan so far 19:29:05 ++ 19:29:07 yes please 19:29:23 clarkb: gluu also doesn't support openidv1 19:29:28 mordred: ya basically nothing does 19:29:48 once google killed it everyone seemed to stop supporting it 19:30:18 it's pretty easy to add to anything written in python 19:30:22 i've also heard rumors that some red hat employees don't want to interact with opendev services because it requires them to sign in with an ubuntu account, so providing more neutrally-branded options will hopefully satisfy some of those seemingly irrational objections 19:30:37 clarkb: fwiw - dex does jwt (good for zuul) and gluu does UMA - so that's a thing we should consider too 19:31:12 fungi: for the record, I am not motivated by sectarianism, and might be anti-motivated by that 19:31:14 BUT 19:31:22 I still think we need a better SSO story 19:31:32 yes, which is my primary motivation 19:31:42 at the very least, if there's a spec (or even a draft spec), you can just point them at that and say 'patches welcome' 19:31:44 well, that and not being wholly dependent on a single identity provider we don't control 19:31:51 yup 19:31:52 corvus: yep, precisely 19:31:55 mordred: I believe UMA is a superset of jwt so it may all just work 19:31:59 clarkb: cool 19:32:06 (if it comes down to a uma providing tool being preferable) 19:32:27 oh - other differences - gluu is java, dex is go - neither is python 19:32:39 corvus: in fact i wanted to pass along the "patches welcome" invitation along with a link to our plan, and then realized i couldn't find it written down anywhere 19:33:06 but ya I'm not super concerned about specific tools as much as "the tools in the space ahs changed lets reevaluate with some concrete use cases/requirements/goals" 19:33:14 clarkb: ++ 19:33:15 i think there was a (draft) spec, i'm not sure we ever approved it? 19:33:35 corvus: maybe it got abandoned, i checked proposed specs and didn't see one 19:33:44 also possible i'm blind 19:34:08 if the old spec can be found i'm happy to resurrect/revise/whatever 19:34:16 will go back and look again to be certain 19:35:00 thanks! 19:35:30 it looks like ubuntu one uses oauth for the desktop portion of things 19:35:49 i wonder if there might be something usable there? 19:35:53 that sounds like it would have to be public-facing then 19:35:57 corvus: ya there is definitely some stuff to investigate there as option for migration 19:36:24 fungi: I believe its all public facing, but they don't do fully spec compliant implementations, they just do the subset they need for $usecase 19:36:26 (or continued support for people who want to keep using that) 19:36:40 so if our use case can fit into that subset (and we can figure out how to integrate with launchpad with no docs) that may be viable 19:36:42 maybe it's enough for a transition 19:36:43 yeah 19:37:42 also i just went back over open and abandoned specs and didn't find it. i thought i remembered an outline in a mailing list post (maybe from corvus) several years back, but my searching was insufficient to locate it 19:37:54 might be remembering the old idp poc 19:37:54 i thought mordred wrote it 19:37:59 ahh, perhaps 19:38:00 I think I might have sent the email 19:38:03 but I also can't find it 19:38:05 I remember writing it 19:38:19 well, at this point it's likely easier to just redo from scratch 19:38:21 enough has changed 19:38:32 i'll see what i come up with 19:38:38 yeah - I think the biggest benefit of finding it might have been the part where we describe the use case 19:39:14 anyway, didn't want to suck up this much of the meeting 19:39:43 there wasn't much else on the agenda. Why don't we finish that up then can continue this discussion after if we have time 19:39:57 Does anyone else have OpenDev related items to bring up (that was all I had)? 19:41:27 #topic General Topics 19:41:36 Only one entry here, the wiki entry. 19:41:50 fungi: fwiw I am happy to remove it, but since we've been good at ignoring the wiki in the past I don't want to forget it if there is movement on it 19:42:09 I don't think there has been recent movement. Let me know if you think its useful to have the check ins or if we should remove this from the agenda 19:42:56 there has not, i also am not sure it's useful to revisit weekly, but am unopposed 19:43:12 maybe i or someone will take it as a cue to do something 19:43:55 k 19:44:00 #topic Open Discussion 19:44:16 feel free to discuss the authentication stuff more now. Or bring up other items 19:44:53 i didn't really have anything else on that topic for now, but if folks had more suggestions i'm game 19:45:46 i'm making some progress on removing pip-and-virtualenv 19:46:21 basically going through zuul-jobs and figuring out where we've made assumptions that pip and virtualenv exist on the platform they're running on 19:47:36 this has come to more of a head with latest fedora's and suse's dropping python2 support, making changes required in the pip-and-virtualenv element that would make it even crazier than it already is 19:47:37 it's maybe worth mentioning there is a big pile of changes in zuul-jobs that just landed to rename things from install- to ensure- 19:48:02 ianw: ++ 19:48:14 good timing in that case! 19:48:22 yep, ensure-* seems to fit what we do much better 19:50:51 i feel like moving the meeting to our shiny new channel has also made it faster 19:51:06 fungi: there was also lots of fire fighting over the last week 19:51:09 or maybe it seemed that way 19:51:16 no, there definitely was 19:51:41 the past several weeks really 19:52:23 sounds like that may be it for the meeting? 19:52:31 I'll go ahead and call it a few minutes early. 19:52:33 THanks everyone! 19:52:35 our first early finish in... ages 19:52:36 #endmeeting